Boot2Root
Giant space Ball
Reconnaissance

For the reconnaissance phase, as usual, use nmap to scan for open ports on the machine.

Figure 2.0 shows that the SMB port is open.
Enumeration

Figure 3.0 shows the 'enum4linux' tool being used to enumerate the SMB service on the machine.

During enumeration with enum4linux, the username 'sidious' was found, along with a shared directory, '/backups', that can be accessed through the SMB service.

Access the share using the 'smbclient' command. The '/backups' directory contained a text file; download it with the 'get' command.

Figure 6.0 shows the credentials found in the file. The password is stored as a SHA-256 hash, so the hash needs to be cracked.

As shown in Figure 7.0, online tools such as https://crackstation.net/ can be used to crack the hash. The hash was cracked successfully.
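The hash was recoverable by a lookup site because it was an unsalted, fast SHA-256 of the password: the digest is the same everywhere, so a precomputed table maps it straight back. The added example below (written for this page, not code from the box or its author) models that lookup over a constructed four-word list, and beside it shows the storage scheme that defeats it: a per-user random salt and a slow KDF (PBKDF2 here, from the standard library) with constant-time comparison. All names and the wordlist are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the precomputed tables a lookup site keeps.
WORDLIST = ["password", "letmein", "darkside", "sidious123"]


def sha256_hex(password):
    """Unsalted SHA-256 as found in the backup file: one password, one fixed digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_table(words):
    """Precompute digest -> password. With no salt, 'cracking' is a dictionary lookup."""
    return {sha256_hex(w): w for w in words}


def reverse_unsalted(digest_hex, table):
    """Return the password for a digest if it was ever precomputed, else None."""
    return table.get(digest_hex.lower())


# Hardened storage: random salt per user plus a slow KDF, stored as
# "pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>" (format chosen for this example).
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Derive a salted, slow hash; a fresh salt means identical passwords never collide."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = lookup_table(WORDLIST)
    print("unsalted lookup:", reverse_unsalted(sha256_hex("darkside"), table))
    stored = hash_password("darkside")
    print("salted record:", stored)
    print("verify correct:", verify_password("darkside", stored))
```

The lookup only works because every deployment that stores plain SHA-256 produces the same digest for the same password; once a salt is mixed in, a table built for one site is useless against another, and the iteration count makes each guess expensive.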

Figure 8.0 shows the credentials being used to log in to the SSH service.

Figure 9.0 shows the 'find' command being used to locate SUID files. The first entry in Figure 9.0, '/mnt/sithshare/bash', looks interesting. Let's look at it.

Navigate to the directory and find the bash binary there. Running './bash -p' starts the shell while keeping the SUID privileges instead of dropping them.

After gaining root privileges, use the 'find' command to locate the flag on the machine.
Digidoc
Reconnaissance

Figure 1.0 shows the nmap scan result for the Digidoc machine. Three ports are open: HTTP (80), SSH (22) and FTP (21). As Figure 1.0 also shows, the FTP service holds two files, key.txt and readme.txt.
Enumeration


After port scanning, since HTTP (80) is open, scan that port with 'dirsearch'. The dirsearch result shows a login page and an uploads page.

After logging in successfully as a guest, notice an object reference that is vulnerable to IDOR. Let's brute-force the object reference.

Brute-forcing the object reference up to '5' reveals the admin account's information, including its access id.

Open inspect element or a cookie editor and change the value.
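Two separate weaknesses chain here: the account endpoint performs no object-level authorization (any logged-in user can read any id), and the role that gates the admin pages lives in a cookie the client can rewrite. The added example below is not the Digidoc application's code; it is a constructed model of both flaws next to the hardened version, in which the session is an opaque server-side token and every account read checks ownership or a server-known admin role. User names, account ids and the cookie layout are assumptions for the example.

```python
import secrets

# Constructed sample data for the example.
USERS = {"guest": {"role": "user"}, "admin": {"role": "admin"}}
ACCOUNTS = {
    1: {"owner": "guest", "email": "guest@example.test"},
    5: {"owner": "admin", "email": "admin@example.test", "access_id": "ACCESS-ID-PLACEHOLDER"},
}

# --- Flawed handling, modelled on the behaviour described above -----------------

def parse_client_cookie(cookie):
    """Cookie shaped like 'user=guest; role=user'; the client can edit any field."""
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";") if "=" in part)
    return fields.get("user"), fields.get("role")


def view_account_insecure(cookie, account_id):
    """IDOR: once logged in, any account is readable just by changing the id."""
    user, _ = parse_client_cookie(cookie)
    if user not in USERS:
        return None
    return ACCOUNTS.get(account_id)


def can_upload_insecure(cookie):
    """Authorization decided by a role value the client controls."""
    _, role = parse_client_cookie(cookie)
    return role == "admin"


# --- Hardened handling: opaque sessions held server-side, plus ownership checks ---

SESSIONS = {}  # token -> username; never leaves the server


def login(username):
    """Issue an unguessable token; the role is looked up server-side, never stored in the cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def current_user(token):
    return SESSIONS.get(token)


def view_account_secure(token, account_id):
    """Object-level authorization: the owner, or a user whose server-side role is admin."""
    user = current_user(token)
    if user is None:
        return None
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return None
    if acct["owner"] != user and USERS[user]["role"] != "admin":
        return None
    return acct


def can_upload_secure(token):
    user = current_user(token)
    return user is not None and USERS[user]["role"] == "admin"
```

The secure path still uses the same numeric ids; what changes is that the id alone is never enough, and a forged cookie simply maps to no session. Using unguessable ids on top is defence in depth, not a substitute for the ownership check.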

After changing it to admin, an upload page was found that only accepts JPEG and PNG images. A reverse shell file can be uploaded here, but it needs a small modification. The upload handler validates the extension by checking only that the filename contains '.png' or '.jpeg'; it does not block the '.phtml' extension, so that is used as the extension for the shell file.

Find a simple web shell on GitHub and put a 'PNG' header at the top of the file. The upload handler also validates magic bytes, meaning it checks whether the uploaded file begins with the PNG or JPEG hex signature.
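Both of the server's checks are substring-style tests: the name only has to contain '.png' somewhere, and the body only has to start with an image signature. The added example below (constructed for this page, not the Digidoc upload code) reproduces that weak validator and places the hardened one beside it: the final extension must come from an allowlist, the signature must match that specific extension, and the file is stored under a server-generated name with only the allowlisted extension reapplied. Function names and the placeholder payload are assumptions.

```python
import os
import secrets

# Magic-byte signatures for the two formats the upload page accepts.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Allowlist of exact final extensions, each tied to the signature it must carry.
ALLOWED = {".png": PNG_MAGIC, ".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC}


def weak_upload_check(filename, data):
    """Constructed model of the validator described above: a substring test on the
    name plus a signature test on the leading bytes. 'shell.png.phtml' passes both."""
    name = filename.lower()
    ext_ok = ".png" in name or ".jpeg" in name
    magic_ok = data.startswith(PNG_MAGIC) or data.startswith(JPEG_MAGIC)
    return ext_ok and magic_ok


def strict_upload_check(filename, data):
    """Hardened: the *last* extension decides, it must be allowlisted, and the
    signature must be the one that extension implies (no PNG bytes in a .jpeg)."""
    _, ext = os.path.splitext(filename.lower())
    expected = ALLOWED.get(ext)
    if expected is None:
        return False
    return data.startswith(expected)


def server_side_name(filename):
    """Never keep the client's filename: random name + allowlisted extension only,
    so a double extension cannot reach the filesystem. Returns None if not allowed."""
    _, ext = os.path.splitext(filename.lower())
    if ext not in ALLOWED:
        return None
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    sample = PNG_MAGIC + b"<placeholder body>"  # constructed, not an actual payload
    print("weak   shell.png.phtml:", weak_upload_check("shell.png.phtml", sample))
    print("strict shell.png.phtml:", strict_upload_check("shell.png.phtml", sample))
    print("stored as:", server_side_name("photo.png"))
```

Validation alone is still not the whole fix: the upload directory should be served with script execution disabled (or from outside the web root entirely), so that even a file that slips past the checks is only ever returned as static bytes.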

The web shell file is uploaded to the server successfully.


With a web shell like this, commands such as ls, cat, pwd and find can be used. A text file named 'flag.txt' was found, but it was not the flag. Privilege escalation is needed to obtain the real flag.

Further enumeration of the server turned up another interesting file, 'passwd.txt'.

Using the cat command to display the contents of 'passwd.txt' reveals encrypted text. Earlier, the key.txt file was found on the FTP server. It contains a hash value, so perhaps that is the key for decrypting the encrypted text.

Use anycript.com to decrypt the text: choose 256 bits and ECB as the encryption mode, then decrypt. The decrypted text looks like a password. Earlier, the flag file was found at '/home/alvin/flag.txt', which means the user is alvin.

Use the credentials obtained earlier to log in over SSH.
Privilege Escalation

Enumerate the cron jobs for any file that can be used to gain root privileges. From Figure 16.0, it looks like the file '.compress.py' is run by root. Let's inject reverse shell code into the script.

Replace the contents of the file with a reverse shell script. Since the file is run by a cron job, wait a while.

Set up a listener and catch the root shell. Obtain the flag.
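Both root paths in this writeup come from the same class of misconfiguration: a root cron job whose script an unprivileged user can overwrite (Digidoc), and a copy of bash carrying the SUID bit outside the distribution's known set (Giant Space Ball). The added example below is an audit written for this page, not a tool from either machine: it pulls the script paths out of crontab entries and reports any that are group- or world-writable or not owned by root, and it lists SUID regular files and diffs them against a baseline. The crontab parser, the baseline list and the demo's temporary files are assumptions constructed for the example.

```python
import os
import re
import stat
import tempfile

# Absolute paths inside a command field (stops at shell separators). Constructed parser, not cron's own.
ABS_PATH = re.compile(r"(?<!\S)(/[^\s;&|]+)")


def command_paths(crontab_line):
    """Return absolute paths referenced by one crontab entry's command."""
    line = crontab_line.strip()
    if not line or line.startswith("#"):
        return []
    if line.startswith("@"):  # @reboot, @daily, ...: one schedule token, then the command
        parts = line.split(None, 1)
    else:  # five schedule fields; /etc/crontab also has a user field, scanned as part of the tail
        parts = line.split(None, 5)
    command = parts[-1] if len(parts) > (1 if line.startswith("@") else 5) else ""
    return ABS_PATH.findall(command)


def writability_findings(path):
    """Why a root-executed script is dangerous: writable by group/others, or not root-owned."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing (a writable parent directory would let anyone create it)"]
    findings = []
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_uid != 0:
        findings.append(f"owned by uid {st.st_uid}, not root")
    return findings


def audit_crontab_text(text):
    """Map each referenced path that has at least one finding to its list of findings."""
    report = {}
    for line in text.splitlines():
        for path in command_paths(line):
            found = writability_findings(path)
            if found:
                report[path] = found
    return report


def is_suid(mode):
    """SUID bit on a regular file (directories with the bit set are not executables)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def scan_suid(root):
    """Walk a tree and return SUID regular files, the same set the attacker's find located."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if is_suid(st.st_mode):
                found.append(p)
    return sorted(found)


def unexpected_suid(found, baseline):
    """Anything SUID that is not on the known list, e.g. a stray copy of bash in a share."""
    return sorted(set(found) - set(baseline))


def demo_audit():
    """Constructed demo: a root cron entry pointing at a world-writable script (the '.compress.py'
    pattern above) beside a locked-down one. Returns (report, bad_path, good_path)."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, ".compress.py")
    good = os.path.join(d, "rotate.py")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("print('placeholder')\n")
    os.chmod(bad, 0o666)
    os.chmod(good, 0o644)
    crontab = f"*/5 * * * * root /usr/bin/python3 {bad}\n0 3 * * * root /usr/bin/python3 {good}\n"
    return audit_crontab_text(crontab), bad, good


if __name__ == "__main__":
    report, bad, good = demo_audit()
    for path, findings in report.items():
        print(path, "->", ", ".join(findings))
    print("unexpected SUID:", unexpected_suid(["/usr/bin/passwd", "/mnt/sithshare/bash"], ["/usr/bin/passwd"]))
```

On a real host the crontab text comes from /etc/crontab, /etc/cron.d and the per-user spools, and the SUID baseline from the package manager's file lists; anything the audit flags is exactly what 'find' and a cron listing hand an attacker, so it is worth scheduling the audit itself.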